diff --git a/README.md b/README.md
index 2649f866594c5935207751fedaecc10ff1a981d2..3651a876be2defbc00464dd954eb111fb6661d44 100644
--- a/README.md
+++ b/README.md
@@ -211,6 +211,7 @@ Set file permissions on the installed certificate differently depending on wheth
 Define RADIUS clients as seen in `clients.conf`
 
 ```puppet
+# Single host example
 freeradius::client { "wlan-controller01":
   ip        => '192.168.0.1',
   secret    => 'testing123',
@@ -221,12 +222,41 @@ freeradius::client { "wlan-controller01":
 }
 ```
 
+```puppet
+# Range example on FreeRADIUS 2
+freeradius::client { "wlan-controllers":
+  ip        => '192.168.0.0',
+  netmask   => '24',
+  secret    => 'testing123',
+  shortname => 'wlc01',
+  nastype   => 'other',
+  port      => '1645-1646',
+  firewall  => true,
+}
+```
+
+```puppet
+# Range example in FreeRADIUS 3
+freeradius::client { "wlan-controllers":
+  ip        => '192.168.0.0/24',
+  secret    => 'testing123',
+  shortname => 'wlc01',
+  nastype   => 'other',
+  port      => '1645-1646',
+  firewall  => true,
+}
+```
+
 ##### `ip`
-The IP address of the client or range in CIDR notation.  For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
+The IP address of the client or range. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
+On FreeRADIUS 2, specify the netmask separately. On FreeRADIUS 3, set `ip` in CIDR format. Default: `undef`.
 
 ##### `ip6`
 The IPv6 address of the client or range in CIDR notation. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
 
+##### `netmask`
+The netmask of the client, specified as an integer, e.g. `24`. Only to be set on FreeRADIUS 2. Default: `undef`.
+
 ##### `shortname`
 A short alias that is used in place of the IP address or fully qualified hostname provided in the first line of the section. Required.
 
diff --git a/manifests/client.pp b/manifests/client.pp
index 500ab6d9aed6ba7d5109d0ed919e9e29ed3a9239..542b9f9fa2de3df28ff5d7cc816c47c80d412bb4 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -30,7 +30,7 @@ define freeradius::client (
     default => "${ip6}/${netmask}",
   }
 
-  if ($netmask) {
+  if ($netmask and $fr_version == 3) {
     warning("netmask field found in client ${shortname} is deprecated, use CIDR notation instead. Please fix your configuration.")
   }
 
diff --git a/templates/client.conf.fr2.erb b/templates/client.conf.fr2.erb
index 4da0535962eb051522f0fdca725dae0c17f90543..c7d9c28fd3f732935b7331bc4b9dddf81db5f1c7 100644
--- a/templates/client.conf.fr2.erb
+++ b/templates/client.conf.fr2.erb
@@ -1,6 +1,7 @@
 client <%= @shortname %> {
-	<% if @ip %>ipaddr= <%= @cidr %><% end %>
-	<% if @ip6 %>ipv6addr = <%= @cidr6 %><% end %>
+	<% if @ip %>ipaddr= <%= @ip %><% end %>
+	<% if @ip6 %>ipv6addr = <%= @ip6 %><% end %>
+	<% if @netmask %>netmask = <%= @netmask %><% end %>
 	shortname = <%= @shortname %>
 	secret = "<%= @secret %>"
 	<% if @virtual_server %>virtual_server = <%= @virtual_server %><% end %>